Profile Applicability:
- Level 1
Description:
This control ensures that the Amazon S3 bucket used to store AWS CloudTrail logs is not publicly accessible. Public access to CloudTrail log buckets can lead to unauthorized exposure of sensitive security and operational data. Properly configuring S3 access policies, disabling public access, and enforcing encryption ensure that only authorized users and services have access to the logs.
Rationale:
CloudTrail logs contain detailed records of account activity, including authentication attempts, resource changes, and configuration modifications. If the S3 bucket storing these logs is publicly accessible, it could expose sensitive data to external parties, leading to security breaches or compliance violations. Restricting public access ensures that logs remain confidential, intact, and accessible only to authorized entities such as security and compliance teams.
Impact:
Positive Impact: Protects sensitive CloudTrail data from unauthorized access and supports regulatory compliance (e.g., ISO 27001, SOC 2, GDPR, HIPAA).
Negative Impact: None — restricting public access has no operational downside.
Default Value:
By default, S3 buckets do not allow public access. However, improper configurations (e.g., public ACLs or bucket policies) can inadvertently expose data.
Pre-Requisite:
- AWS CloudTrail must be enabled and configured to deliver logs to an S3 bucket.
- IAM permissions required:
  - s3:GetBucketPolicy
  - s3:GetBucketAcl
  - s3:PutBucketPolicy
  - s3:PutBucketPublicAccessBlock
Remediation:
Test Plan
Using AWS Console:
- Sign in to the AWS Management Console.
- Navigate to S3 → Buckets.
- Select the CloudTrail log bucket (e.g., my-org-cloudtrail-logs).
- Go to the Permissions tab.
- Under Block public access (bucket settings), ensure that all options are Enabled, including:
  - Block all public access
  - Block public ACLs
  - Block public bucket policies
  - Restrict public bucket policies
- Review the Bucket Policy and Access Control List (ACL) sections to ensure no public access ("Principal": "*") is granted.
- Confirm that the bucket is not publicly accessible.
Implementation Plan
Using AWS Console:
- Go to the AWS S3 Console → Buckets.
- Select the CloudTrail log bucket.
- Click on the Permissions tab.
- Under Block public access (bucket settings), click Edit.
- Check Block all public access and confirm the setting.
- Click Save changes.
- Review and, if necessary, update the Bucket Policy:
  - Ensure no statements contain "Principal": "*" with "Effect": "Allow".
  - Retain only necessary permissions for CloudTrail and authorized IAM roles.
- Review the Access Control List (ACL) to ensure only authorized accounts or services have access.
- Verify access by using the Public Access indicator on the bucket overview page (should show “Bucket and objects not public”).
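As an added example (not part of this benchmark or of AWS documentation), the following Python helper applies the Test Plan and Implementation Plan checks above to the data returned by the bucket policy, Block Public Access and ACL read calls; the bucket name my-org-cloudtrail-logs is the page's example, while the policy, settings and ACL grants are constructed sample data. Beyond the page's "Principal": "*" check it also flags the equivalent {"AWS": "*"} form and ACL grants to the AllUsers/AuthenticatedUsers groups.

```python
import json

# Constructed samples (not from a real account) shaped like boto3's get_bucket_policy()["Policy"],
# get_public_access_block()["PublicAccessBlockConfiguration"] and get_bucket_acl()["Grants"].
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"}, "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::my-org-cloudtrail-logs/AWSLogs/*"},
        {"Sid": "AccidentalPublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-org-cloudtrail-logs/*"},
    ],
})
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
PUBLIC_GROUP_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _principal_is_public(principal):
    """True for "Principal": "*" or {"AWS": "*"} (the AWS value may also be a list)."""
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in (aws if isinstance(aws, list) else [aws])

def public_allow_statements(policy_json):
    """Sids (or positions) of Allow statements addressed to everyone. A Condition may narrow
    such a statement, so these are reported for review rather than silently accepted."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    return [s.get("Sid", f"Statement[{i}]") for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow" and _principal_is_public(s.get("Principal"))]

def disabled_public_access_blocks(pab):
    """Block Public Access settings that are not enabled; all four must be True."""
    return [k for k in PAB_KEYS if not pab.get(k, False)]

def public_acl_grants(grants):
    """Permissions the bucket ACL grants to the AllUsers / AuthenticatedUsers groups."""
    return [g["Permission"] for g in grants if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS]

def bucket_is_private(policy_json, pab, grants):
    """Compliant only when policy, Block Public Access settings and ACL all pass."""
    return not (public_allow_statements(policy_json) or disabled_public_access_blocks(pab)
                or public_acl_grants(grants))
```

To audit a real bucket, pass the live values from boto3's get_bucket_policy, get_public_access_block and get_bucket_acl in place of the constructed samples.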
Backout Plan
Using AWS Console:
- Navigate to S3 → Buckets → [CloudTrail log bucket].
- Click Permissions → Block public access (bucket settings).
- Click Edit and uncheck the public access block options (only if absolutely required for business use).
- Click Save changes and confirm the update.
- Update the Bucket Policy accordingly to allow controlled access if necessary.